More than a week after researchers at Google detailed one of the most serious iPhone exploits in recent memory, Apple has responded.
In a statement published Friday, Apple went on the defensive, saying that Google researchers were "stoking fear" and had exaggerated the seriousness of the attack.
Cupertino's statement comes more than a week after Google's Project Zero researchers published a blog post detailing how malware embedded in specific websites could steal large amounts of personal data off users' iPhones. This included messages, both encrypted and otherwise, real-time GPS locations, and passwords.
"We estimate that these sites receive thousands of visitors per week," Project Zero researcher Ian Beer wrote. Though Beer didn't elaborate on who may have been impacted by the malware, it was subsequently reported that it was a state-sponsored attack targeting China's Uighur Muslims.
In its statement, Apple noted that "the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones 'en masse' as described."
"The attack affected fewer than a dozen websites that focus on content related to the Uighur community," Apple wrote. The company's statement makes no mention of China, where the government has been accused of widespread hacking in order to track the country's Muslim minority community.
Though the malware could have infected any iPhone that visited the websites in question, Apple said Google overstated the scale of the exploit.
Google’s post, issued six months after iOS patches were released, creates the false impression of “mass exploitation” to “monitor the private activities of entire populations in real time,” stoking fear among all iPhone users that their devices had been compromised. This was never the case.
Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not “two years” as Google implies. We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.
The company also made a veiled dig at Google's Android operating system, writing, "iOS security is unmatched because we take end-to-end responsibility for the security of our hardware and software."
In a statement, a Google spokesperson said the company stands by its work: "We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities. We will continue to work with Apple and other leading companies to help keep people safe online."
Apple's response, which comes just days before the launch of its new iPhones, was quickly criticized by many in the security community as being tone deaf.
Alex Stamos, Facebook's former chief security officer who is now a researcher at Stanford University, said the company's response "should be graded somewhere between 'disappointing' and 'disgusting.'"
Even if we accept Apple's framing that exploiting Uyghurs isn't as big a deal as Google makes it out to be, they have no idea whether these exploits were used by the PRC in more targeted situations. Dismissing such a possibility out of hand is extremely risky.
— Alex Stamos (@alexstamos) September 6, 2019
"Disputing Google's correct use of 'indiscriminate' when describing a watering hole attack smacks of 'it's ok, it didn't hit white people,'" Stamos tweeted. "It is possible that this data contributed to real people being 'reeducated' or even executed."
UPDATE: Sept. 6, 2019, 1:38 p.m. PT: Updated to add Google's statement and criticism from Alex Stamos.